formula1 / NodeOS-Blog

Blog for NodeOS based off github issues
7 stars 3 forks

Bad issues list request: 403 #1

Open formula1 opened 9 years ago

formula1 commented 9 years ago

API rate limit exceeded for 104.33.18.112. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.)

This is due to not creating an application or authorizing requests.

Some pseudocode is here

Person Accesses the Blog
-When there is an error - To view more, please login with GitHub (Your public information will not be saved, used or read. It's only done to avoid the rate limit)

Person Logs in With github
-They are then redirected to a server that is not based off github pages

That server finishes up the authentication
-They are then redirected to the blog with an OAuth token as a GET parameter

The Web App reads the parameter and then uses it in all future requests

formula1 commented 9 years ago

Issue with that actually is it's insecure. Sending a GET request cannot be encrypted. However, since I cannot read a webpage's own headers nor send POST data to a static website, I don't see other options

piranna commented 9 years ago

Using the GitHub credentials of the user viewing the blog (not ours, or a custom app API key) would override the GitHub limits? If so, it would be a nice trick... :-D :+1:

formula1 commented 9 years ago

I completely agree, the issue is with oAuth. With oAuth, you have to verify that the user is using your application to authenticate. Which means making a post call with your client ID and client Secret. And the client secret should never be shared, otherwise it opens up the door for anybody to use your application. If you are aware of something I'm not, please let me know T__T

piranna commented 9 years ago

Which means making a post call with your client ID and client Secret. And the client secret should never be shared

Sh*t! :-( I suppose it's just to identify what apps/domains are using the data, but doesn't make sense since the important thing is the user using them... :-/ We'll need to look about some alternatives, OAuth2 is the recommended one but maybe we can use the non-web flow... I've only used OAuth two times before and didn't understand it fully, sorry :-(

formula1 commented 9 years ago

After rereading that post you sent, I realized what they are doing for server calls is in YQL. Which Yahoo stores. And until Yahoo gets hacked, there's no issues.

I read it too quickly. I saw YOUR_CLIENT_SECRET in JavaScript and I immediately disregarded the rest. That being said, this is also an option. TOMORROW!

formula1 commented 9 years ago

Hello.js is out as I have to register my app secret with https://auth-server.herokuapp.com/#-auth-server

Though it probably is safe, it feels too sketchy to me

Going to try the YQL next

piranna commented 9 years ago

Hello.js is out as I have to register my app secret with https://auth-server.herokuapp.com/#-auth-server

Discarded, then. oAuth.io seems that needs some registration too... :-/ Probably it's how oAuth works, and these services act as proxies... Anyway, I think using them is the way to go, we could change them for our own server (just for oAuth purposes, doh! :-( ) in the future..